Enhanced monitoring of key components which can detect system failures and prevent outages before they occur

You can use reports and dashboards to monitor activity as it is happening, then drill down into events and do a root-cause analysis to learn why something happened. If there are patterns and correlations in events that you monitor, you can use them to predict future activity. With this knowledge, you can proactively send alerts based on thresholds and perform "what-if" analyses to compare various scenarios.

Commands for time series forecasting

The Splunk search language includes two forecasting commands: predict and x11.

The predict command enables you to use different forecasting algorithms to predict future values of single and multivalue fields.

The x11 command, which is named after the X11 algorithm, removes seasonal fluctuations in fields to expose the real trend in your underlying data series.

Forecasting algorithms

You can select from the following algorithms with the predict command: LL, LLP, LLT, LLB, and LLP5. Each of these algorithms are variations of the Kalman filter.

Algorithm option

Algorithm name

Description

LL

Local level

This is a univariate model with no trends and no seasonality. Requires a minimum of 2 data points.

LLP

Seasonal local level

This is a univariate model with seasonality. The periodicity of the time series is automatically computed. Requires the minimum number of data points to be twice the period.

LLT

Local level trend

This is a univariate model with trend but no seasonality. Requires a minimum of 3 data points.

LLB

Bivariate local level

This is a bivariate model with no trends and no seasonality. Requires a minimum of 2 data points. LLB uses one set of data to make predictions for another. For example, assume it uses dataset Y to make predictions for dataset X. If the holdback=10, the LLB algorithm uses the last 10 data points of Y to make predictions for the last 10 data points of X.

Forecasting seasonality with the x11 command

The seasonal component of your time-series data is either additive or multiplicative, which is reflected in the two types of seasonality that you can calculate with the x11 command: add() for additive and mult() for multiplicative.

How do you know which type of seasonality to adjust from your data? The best way to describe the difference between an additive and a multiplicative seasonal component is with an example: The annual sales of flowers will peak on and around certain days of the year, such as Valentine's Day and Mother's Day.

During Valentine's Day, the sale of roses might increase by X dollars every year. This dollar amount is independent of the normal level of the series, and you can add X dollars to your forecasts for Valentine's Day every year, making this time series a candidate for an additive seasonal adjustment. In an additive seasonal adjustment, each value of a time series is adjusted by adding or subtracting a quantity that represents the absolute amount by which that value differs from normal in that season.

Alternatively, in a multiplicative seasonal component, the seasonal effect expresses itself in percentage terms. The absolute magnitude of the seasonal variations increases as the series grows over time. For example, the number of roses sold during Valentine's Day might increase by 40% or a factor of 1.4. When the sales of roses is generally weak, the absolute (dollar) increase in Valentine's Day sales will also be relatively weak. However, the percentage will be constant. And, if the sales of roses are strong, then the absolute (dollar) increase will be proportionately greater. In a multiplicative seasonal adjustment, this pattern is removed by dividing each value of the time series by a quantity that represents the percentage from normal or divided by a factor that is typically observed in that season.

When plotted on a chart, these two types of seasonal components show distinguishing characteristics:

The additive seasonal series shows steady seasonal fluctuations, regardless of the overall level of the series.

The multiplicative seasonal series shows varying size of seasonal fluctuations that depend on the overall level of the series.

Enter your email address, and someone from the documentation team will respond to you:

Send me a copy of this feedback

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »